On Mon, Jun 03, 2013 at 04:30:19PM -0400, Dmitri Pal wrote:
> On 06/03/2013 02:23 PM, Aly Khimji wrote:
> > Quick questions guys,
> >
> > can you advise if there is a particular place(s) successful and failed
> > users authentication is logged? I know for local users I can go
> > through the 389 access logs, but for trust based users can you advise
> > where I would look? I know I see a proper ticket issued in krb5kdc
> > logs, but mainly for failed logins.
>
> What is the scenario?
> Is this: user from AD logs into a Linux system that is joined into IPA
> via SSSD?
> In this case the authentication happens in AD so the audit trail will be
> there.
> Once this user tries to access a resource in IPA domain there will be a
> record of issuing this user a service ticket in the kerberos log.
>
> The users always get TGTs from the domain they belong to so the record
> will be in the log of the corresponding KDC.

Are you using ssh to log in to the IPA client or is this a console login?

In the first case logs from sshd might help. Typically issues here are
related to access checks and mapping the Kerberos principal to a local
user name. See e.g.
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Edit_.2Fetc.2Fkrb5.conf
for how to configure the auth_to_local feature. Please note that Kerberos
principals are handled case sensitively here, i.e. if your AD user name
uses upper and lower case you have to use the same case at the ssh login
prompt. Alternatively you can add a .k5login file in the user's home
directory on the IPA client.

For console login the sssd logs are the best source to figure out what's
going wrong.

HTH

bye,
Sumit

> > Thx
> >
> > Aly
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipaemail@example.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
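An added illustration of the auth_to_local mapping and case-sensitivity point Sumit raises above; this is example code written for this page, not Sumit's, FreeIPA's or MIT krb5's own, and it evaluates a constructed krb5.conf rule of the shape the linked howto uses (realms AD.EXAMPLE.COM and IPA.EXAMPLE.COM are assumed, and the rule parser is simplified: no nested parentheses in the match regexp).

```python
import re

# Constructed example settings, in the shape used by the FreeIPA AD-trust howto.
DEFAULT_REALM = "IPA.EXAMPLE.COM"
RULES = [
    r"RULE:[1:$1@$0](^.*@AD\.EXAMPLE\.COM$)s/@AD\.EXAMPLE\.COM/@ad.example.com/",
    "DEFAULT",
]

# RULE:[n:template](regexp)s/pattern/replacement/[g]  (regexp and s/// optional)
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?"
    r"(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?))?$"
)


def apply_rule(rule, components, realm):
    """Return the local name this rule yields, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT strips the realm only for single-component principals in the default realm.
        return components[0] if realm == DEFAULT_REALM and len(components) == 1 else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparsable auth_to_local rule: {rule}")
    n, template, regexp, pattern, repl, flag = m.groups()
    if int(n) != len(components):
        return None
    # Expand $0 (realm) and $1..$n (name components); highest index first so $1 never eats $10.
    s = template.replace("$0", realm)
    for i in range(len(components), 0, -1):
        s = s.replace(f"${i}", components[i - 1])
    if regexp and not re.search(regexp, s):
        return None
    if pattern is not None:
        s = re.sub(pattern, repl, s, count=0 if flag == "g" else 1)
    return s


def auth_to_local(principal, rules=RULES):
    """Map a Kerberos principal to a local user name using the first applicable rule."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    for rule in rules:
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None


def login_allowed(principal, login_name):
    """Mimic the case-sensitive krb5_kuserok comparison sshd performs after mapping."""
    return auth_to_local(principal) == login_name
```

The rule lowercases only the realm, so a ticket for Aly@AD.EXAMPLE.COM maps to Aly@ad.example.com and an ssh login typed as aly@ad.example.com does not match it.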